<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2026.1.1. -->
<schedule>
    <generator name="pretalx" version="2026.1.1" />
    <version>0.5</version>
    <conference>
        <title>OrangeCon</title>
        <acronym>orangecon-2024</acronym>
        <start>2024-09-05</start>
        <end>2024-09-05</end>
        <days>1</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://pretalx.com</base_url>
        
        <time_zone_name>Europe/Amsterdam</time_zone_name>
        
        
        <track name="Main track" slug="4793-main-track"  color="#f96c06" />
        
        <track name="Track 2" slug="4941-track-2"  color="#f60546" />
        
        <track name="Workshop track 1" slug="4794-workshop-track-1"  color="#000000" />
        
        <track name="Workshop track 2" slug="4940-workshop-track-2"  color="#3a3d90" />
        
    </conference>
    <day index='1' date='2024-09-05' start='2024-09-05T04:00:00+02:00' end='2024-09-06T03:59:00+02:00'>
        <room name='Main track' guid='d84bc6ea-c080-5e60-843a-4a1044ea55b8'>
            <event guid='40b98c08-ef4b-54bc-8e80-e2a5febef4e2' id='54605' code='SVTD8P'>
                <room>Main track</room>
                <title>Orange is the new Black</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>00:05</duration>
                <abstract>Welcome to Orangecon!</abstract>
                <slug>orangecon-2024-54605-orange-is-the-new-black</slug>
                <track>Main track</track>
                <logo>/media/orangecon-2024/submissions/SVTD8P/logo_white_OXLjDnF.png</logo>
                <persons>
                    <person id='56608'>Fish_, Cherry and Stef</person>
                </persons>
                <language>en</language>
                <description>Oranges: The Juicy Heartbeat of Innovation and Well-being

Prepare to embark on a vibrant journey into the world of one of nature&apos;s most extraordinary gifts&#8212;Oranges! As we gather here today, let us peel back the layers of this citrus marvel to reveal the rich tapestry of innovation, health, and cultural significance that it brings to our lives. This kick-off will be an exhilarating exploration of the orange&apos;s journey from grove to greatness, celebrating its role as a catalyst for health, culinary creativity, and economic vitality.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/SVTD8P/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/SVTD8P/feedback/</feedback_url>
            </event>
            <event guid='aea97fa1-053e-54c6-9229-8282b07be851' id='54446' code='XVEWPL'>
                <room>Main track</room>
                <title>Cybersecurity&#8217;s New Imperative: Metawar - Defending the Cognitive Infrastructure.</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T09:20:00+02:00</date>
                <start>09:20</start>
                <duration>00:40</duration>
                <abstract>Winn&#8217;s keynote is a call to action. Winn challenges us with a new goal: Strengthen and defend the human mental immune system. Our brains, sensory nervous systems, and minds are the new attack surface. Will the hacker community rise to the challenge of solving the most existential threat it has ever faced?</abstract>
                <slug>orangecon-2024-54446-cybersecurity-s-new-imperative-metawar-defending-the-cognitive-infrastructure</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='56491'>Winn Schwartau</person>
                </persons>
                <language>en</language>
                <description>A long time ago, on June 27, 1991, Winn testified before the US Congress and was asked, &#8220;Mr. Schwartau: Why would the bad guys ever want to use the internet?&#8221; 

Today, our cognitive infrastructure is under attack, and humanity needs hackers more than ever. 

Metawar is the art and science of creating immersive experiences to influence, alter, and define one&#8217;s sense of reality. It is the battle for control over one&#8217;s belief systems, identity, and sense of reality outside one&#8217;s conscious awareness. Reason and emotion are incompatible operating systems. 

Big Tech is digitally terraforming the planet&#8217;s future cognitive infrastructure, Web 3.0, with little concern for the downsides. The metaverse is an evolving, immersive storytelling environment designed to be the most powerful and addictive reality distortion machine ever conceived. It will also predict and anticipate your every desire and every move! 

On the global stage, metawar represents the sixth domain of warfare.&#8288;1 They who control the technology control the narrative, and reality is only a keystroke away. 

We have no choice but to learn how to coexist with the reality-distorting technologies we have created by implementing technical, policy, and cognitive defenses to protect our sense of truth, reality, and self-identity. 

Winn&#8217;s keynote is a call to action. 

The hacker community is among the best problem solvers the planet has ever seen. It acts as a team, a collective of like-minded individuals with an amazing array of skills who stop at nothing to achieve their aims&#8212;against all odds.

Winn challenges us with a new goal: Strengthen and defend the human mental immune system. Our brains, sensory nervous systems, and minds are the new attack surface.

Will the hacker community rise to the challenge of solving the most existential threat it has ever faced?</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/XVEWPL/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/XVEWPL/feedback/</feedback_url>
            </event>
            <event guid='3d0b41a9-e474-57db-b4d5-8e59041db4f3' id='52807' code='FSCA3A'>
                <room>Main track</room>
                <title>Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>00:30</duration>
                <abstract>During the first Pwn2Own Automotive, organised by ZDI in Tokyo in January 2024, Computest Sector 7 successfully demonstrated exploits for vulnerabilities in three different EV-chargers. All three could be exploited to execute arbitrary code on the charger, with the only prerequisite being close enough to connect to Bluetooth.</abstract>
                <slug>orangecon-2024-52807-low-energy-to-high-energy-hacking-nearby-ev-chargers-over-bluetooth</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='55065'>Daan Keuper</person>
                </persons>
                <language>en</language>
                <description>As electric vehicles become increasingly integrated into our transportation infrastructure, the security of their charging systems is becoming paramount. A threat actor hacking EV chargers at scale could have a real-life impact on the continuity of our power grid and the transportation sector. Therefore, it is important that manufacturers and operators are well aware of their role in protecting our power grid.

This year we demonstrated several zero day attacks against commonly used EV chargers during the international Pwn2Own Automotive competition. Most of these vulnerabilities were very easy to find once the firmware was extracted. The lack of mitigations against binary exploitation meant writing the exploits was also straightforward.

In this talk, we will explain the vulnerabilities we found, the exploits we developed and what lessons about IoT security in general can be learned from this.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/FSCA3A/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/FSCA3A/feedback/</feedback_url>
            </event>
            <event guid='a3638f20-5768-546b-a335-bac6e3a68874' id='54030' code='EFL9RJ'>
                <room>Main track</room>
                <title>Making penetration testing auditable</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>00:30</duration>
                <abstract>Penetration testing can vary widely in execution, sometimes providing clear insights, and other times leaving much to be desired. For clients, these tests are essential for ensuring product security and often hold significant audit value. The COVID-19 crisis revealed a powerful opportunity: enhancing client assurance through more transparent and reliable pentests, a necessity increasingly driven by evolving legislation.

This realization sparked the creation of a groundbreaking collaboration. Clients, software developers, pentesters, auditors, and information security researchers now join forces in a unique alliance. Our mission? To empower every knowledgeable professional to contribute, ensuring that every crucial aspect is thoroughly examined.

Welcome to the Methodology for Information Security Research with Audit Value &#8211; a comprehensive, participatory approach that elevates the standards of penetration testing. Embrace this innovative methodology and transform how you achieve security and compliance!</abstract>
                <slug>orangecon-2024-54030-making-penetration-testing-auditable</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='56111'>Brenno de Winter</person>
                </persons>
                <language>en</language>
                <description>### Unveiling a Revolutionary Approach to Penetration Testing: The Methodology for Information Security Research with Audit Value

In the ever-evolving landscape of cybersecurity, penetration testing has become a cornerstone for ensuring product security and compliance. However, the methods of conducting these tests can vary significantly, sometimes offering clear insights and other times leaving much to be desired. Clients rely on these tests not only for assurance but also for their crucial audit value. The recent COVID-19 crisis highlighted a vital need: enhancing client assurance through more transparent and reliable penetration tests, a necessity increasingly driven by stringent legislation.

#### A Unique Collaboration for Enhanced Security

This realization led to the formation of a groundbreaking collaboration, bringing together clients, software developers, pentesters, auditors, and information security researchers. Our innovative approach is designed to empower every knowledgeable professional to contribute, ensuring that every critical component is thoroughly examined. Welcome to the Methodology for Information Security Research with Audit Value.

#### Focusing on Open Standards

Our methodology is rooted in open standards, promoting transparency, interoperability, and innovation. By adhering to these standards, we ensure that our approach is not only robust but also adaptable to various environments and requirements. Open standards facilitate a common language and framework, making it easier for all stakeholders to collaborate and for solutions to integrate seamlessly.

#### Addressing Requirements and Consequences

The Methodology for Information Security Research with Audit Value goes beyond merely meeting requirements. It provides a clear understanding of the consequences if certain aspects are missing, ensuring that clients are fully informed of potential risks and impacts. This comprehensive approach includes:

- **Procurement Requirements**: Ensuring that all inkoopeisen (procurement requirements) are met with precision, helping clients make informed decisions when acquiring new products or services.
- **Legal Aspects**: Addressing all juridische aspecten (legal aspects) to ensure compliance with relevant laws and regulations, thereby minimizing legal risks and liabilities.

#### Providing Comprehensive Compliance Tools

Our methodology equips you with everything needed to achieve and maintain compliance. From detailed guidelines and best practices to thorough checklists and audit trails, we provide all the tools necessary to ensure that nothing is overlooked. This includes:

- **Detailed Guidelines**: Step-by-step instructions and best practices to guide you through every stage of the penetration testing process.
- **Thorough Checklists**: Comprehensive checklists to ensure all critical aspects are covered, leaving no room for oversight.
- **Audit Trails**: Robust audit trails that document every action and decision, providing transparency and accountability throughout the testing process.

#### Transforming Security and Compliance

Embrace this innovative methodology and transform the way you achieve security and compliance. The Methodology for Information Security Research with Audit Value represents a comprehensive, participatory approach that elevates the standards of penetration testing. By focusing on open standards, addressing requirements and their consequences, and providing all necessary compliance tools, we ensure that your security measures are not only effective but also thoroughly documented and auditable.

Join us in pioneering a new era of cybersecurity. Discover the future of penetration testing with the Methodology for Information Security Research with Audit Value, and ensure that your security practices are second to none.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/EFL9RJ/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/EFL9RJ/feedback/</feedback_url>
            </event>
            <event guid='5fd0e92b-209e-53c0-bfa6-c0ce21fa0a22' id='53225' code='C8PRBG'>
                <room>Main track</room>
                <title>The Registry Rundown</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T11:30:00+02:00</date>
                <start>11:30</start>
                <duration>00:30</duration>
                <abstract>Thought you knew how the Windows Registry worked? We have some tricks up our sleeve to abuse the Remote Registry for extended remote reconnaissance and moving laterally to other systems, even bypassing typical remote UAC restrictions to gain code execution.</abstract>
                <slug>orangecon-2024-53225-the-registry-rundown</slug>
                <track>Main track</track>
                <logo>/media/orangecon-2024/submissions/C8PRBG/Wire_2024-07-10_at_09-46-08_S9XrsVF.png</logo>
                <persons>
                    <person id='55482'>Cedric Van Bockhaven</person><person id='55783'>Max Grim</person>
                </persons>
                <language>en</language>
                <description>The talk will cover the basics of the Windows Registry and its structure, including the different hives (e.g. HKLM, HKCU) and their purpose. We will then delve into the different ways the registry can be accessed, both locally and remotely.

Lots of information can be gathered from a remote system via the Remote Registry, such as installed software, configuration, and user activity, all using the privileges of a regular domain user without local administrator permission.

We will share some interesting findings that we came across that facilitate lateral movement via the registry (bypassing remote UAC). We also successfully used the Remote Registry service to bypass typical jumpbox restrictions that normally don&#8217;t allow the user to login via RDP directly.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/C8PRBG/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/C8PRBG/feedback/</feedback_url>
            </event>
            <event guid='f491086e-15b4-5523-bbf7-463defd29038' id='54048' code='DSMSJH'>
                <room>Main track</room>
                <title>Securing OT, too hard or not for me?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>00:30</duration>
                <abstract>We read regularly in the news that critical infrastructure or OT networks should be better secured. We learn about APTs attacking these networks, or the latest ICS zero day vulnerabilities demonstrated during Pwn2Own. Mostly advanced attacks, which could feel overwhelming and hard to defend against, but is this actually true? If we think a bit longer about this we can come up with the following questions:

- Are these actually the biggest threats to your OT environment you should be focusing on?
- Should we just accept OT networks are insecure and could be easily hacked? 
- Or is there something that could be done to improve the security of these environments?

During this talk we will try to answer these questions by combining threat intelligence and first-hand security testing experience of OT environments and systems. We will share common vulnerabilities or configuration weaknesses and recommendations for improvements. Hopefully, after this talk you will have the feeling that not all is lost, and that there is still a lot of room for improving the security of OT networks and systems.</abstract>
                <slug>orangecon-2024-54048-securing-ot-too-hard-or-not-for-me</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='56133'>Erwin Paternotte</person>
                </persons>
                <language>en</language>
                <description>Presentation outline:
- Introduction
- Why is OT different from IT?
- OT threats
  - Targeted (critical infrastructure) vs non-targeted (generic OT)
  - Example threat scenarios:
    - Ransomware
    - (Pre-positioning for) sabotage
    - Supply chain and suppliers
    - Internet-connected OT devices and hacktivists
- Security testing OT
  - Why is this different?
  - Approach
- Common vulnerabilities and weaknesses
  - Network design &amp; security architecture
    - Purdue model
    - Firewall configuration
    - Virtualisation
    - Switching infrastructure
  - Windows systems
    - Active Directory
    - Vulnerabilities
    - Hardening
  - HMI, PLC, sensors and actuators
    - Weak or default passwords
    - Vulnerabilities
    - Insecure protocols
- Conclusions &amp; recommendations
- Questions</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/DSMSJH/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/DSMSJH/feedback/</feedback_url>
            </event>
            <event guid='23a6faa4-ac9a-5230-984a-8e17c85f6a7c' id='51030' code='ZEXPCK'>
                <room>Main track</room>
                <title>Protecting organizations against AITM: lessons learned.</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:30</duration>
                <abstract>&quot;Protecting Hundreds of Organizations Against AiTM: Lessons Learned&quot; dives into the evolving threat of AiTM attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey from old-school phishing attacks, to phishing frameworks like UADMIN, to the introduction of tools like Evilginx, and now to SaaS providers allowing anyone to buy access to an AiTM platform.

We&#8217;ve introduced a free method of detecting AiTM attacks, which has given us insight into the scale of AiTM attacks, at least against Microsoft M365 tenants. This prompted the development of a fingerprinting tool to gain insight into the different actors performing these attacks and the typical methods they employ.

We give an insight into a popular AiTM SaaS platform and the revenue stream hosting such software creates. The session ends by outlining common techniques to prevent these types of attacks. Most organizations use M365 and experience attacks using AiTM to bypass MFA. At the same time, SaaS providers are building AiTM services that allow targeted attacks, enabling supply chain attacks (AiTM targeted against admin sites for pypi, npmjs and rubygems). These services are also used for very specific scams, for example against booking.com: attackers use the booking.com hotel login to extract credit card information from upcoming hotel guests.</abstract>
                <slug>orangecon-2024-51030-protecting-organizations-against-aitm-lessons-learned</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='53392'>Rik van Duijn</person><person id='55457'>Wesley</person>
                </persons>
                <language>en</language>
                <description>There&#8217;s been a rise in the number of AiTM-based attacks. BEC fraud operators use it as MFA becomes more and more common, but the appearance of SaaS providers in the AiTM space makes these attacks easier to perform and therefore more common. Booking.com has been a popular target, allowing attackers to use the hotel operator login to phish credit cards by sending upcoming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them appear very trustworthy. At the same time, environments such as M365/EntraID are popular targets for other operators. This past year we&#8217;ve been trying to prevent and detect these types of attacks. The goal of the presentation is to make attendees aware of the risks, the different operators and the types of attacks happening today.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/ZEXPCK/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/ZEXPCK/feedback/</feedback_url>
            </event>
            <event guid='79fe3b33-7b3a-551e-8b70-61a178aee409' id='52206' code='CTQP8R'>
                <room>Main track</room>
                <title>Offensive Development in Modern Languages</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:30</duration>
                <abstract>As an (offensive) security professional, building tools to support your operations is no longer optional. Not only do you need custom malware to stay undetected on your target, the large scope of modern environments requires many different variants of automation to stay ahead. This talk will discuss what having an &quot;Offensive Development&quot; capability means, how modern languages like Rust or Go can help (or work against you), and how to take your code beyond PoC with some good development practice.</abstract>
                <slug>orangecon-2024-52206-offensive-development-in-modern-languages</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='54472'>Cas van Cooten</person>
                </persons>
                <language>en</language>
                <description>As a security professional, building tools to support your operations is no longer optional. Offensive specialists need to build advanced and custom malware to effectively stay under the radar and simulate threats, and effectively automate full attack workflows to cover large scopes and ensure repeatable results.

In this talk, Cas will explore the concept of &quot;Offensive Development&quot;, how it differs from malware development, and how choosing the right language from modern programming languages such as Rust, Golang, Python and Nim can significantly impact your tools (and your sanity). 

Cas will provide insights into the strengths and weaknesses of each language, supported by case studies that highlight their practical, real-world applications in offensive security. These case studies will also highlight the importance of good developer practice to ensure your next repository doesn&apos;t have to contain a disclaimer that says &quot;POC CODE - DON&apos;T RUN IN PRODUCTION&quot; ;)

This talk is designed for both seasoned offensive security professionals and beginners with a foundational technical understanding. It will provide valuable insights not only for red teamers but for the broader security industry, emphasizing the importance of automation and a development mindset in today&apos;s complex security landscape.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/CTQP8R/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/CTQP8R/feedback/</feedback_url>
            </event>
            <event guid='9ee9e3c7-f17f-5e4b-a893-9ce6cb5f382d' id='54472' code='GMGBGE'>
                <room>Main track</room>
                <title>Attacking Primary Refresh Tokens using their MacOS implementation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T14:30:00+02:00</date>
                <start>14:30</start>
                <duration>00:45</duration>
                <abstract>While Microsoft Entra Primary Refresh Tokens remain mostly undocumented, on Windows there has been quite some research into how they work and how they can be attacked or protected. Despite several hiccups (read: vulnerabilities) in getting there, the implementation is now mostly secure if you have a Trusted Platform Module (TPM). On other platforms, the Primary Refresh Token is also used, but its implementation is undocumented. We decided to investigate how Microsoft implemented Primary Refresh Tokens on MacOS, how they are protected and how hard (or easy) it is for attackers to steal them. During the investigation, we encountered more undocumented protocol features, leading to the discovery of deviceless Primary Refresh Tokens (PRTs). These deviceless PRTs are, as the name implies, only tied to a user and not to a device. In some environments this might already be enough for an attacker to achieve their goal, since these PRTs could be obtained during phishing.

In this session, we will talk about the PRT internals, their protection on MacOS, and on the current and new PRT implementation Microsoft introduced using the Platform SSO capabilities.</abstract>
                <slug>orangecon-2024-54472-attacking-primary-refresh-tokens-using-their-macos-implementation</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='56516'>Olaf Hartong</person><person id='56509'>Dirk-jan Mollema</person>
                </persons>
                <language>en</language>
                <description>While Microsoft Entra Primary Refresh Tokens remain mostly undocumented, on Windows there has been quite some research into how they work and how they can be attacked or protected. Despite several hiccups (read: vulnerabilities) in getting there, the implementation is now mostly secure if you have a Trusted Platform Module (TPM). On other platforms, the Primary Refresh Token is also used, but its implementation is undocumented. We decided to investigate how Microsoft implemented Primary Refresh Tokens on MacOS, how they are protected and how hard (or easy) it is for attackers to steal them. During the investigation, we encountered more undocumented protocol features, leading to the discovery of deviceless Primary Refresh Tokens (PRTs). These deviceless PRTs are, as the name implies, only tied to a user and not to a device. In some environments this might already be enough for an attacker to achieve their goal, since these PRTs could be obtained during phishing.

In this session, we will talk about the PRT internals, their protection on MacOS, and on the current and new PRT implementation Microsoft introduced using the Platform SSO capabilities.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/GMGBGE/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/GMGBGE/feedback/</feedback_url>
            </event>
            <event guid='b0f38e0a-3ef5-50de-96a9-edaa9ad5b3d8' id='53442' code='YZRPBK'>
                <room>Main track</room>
                <title>Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T15:45:00+02:00</date>
                <start>15:45</start>
                <duration>00:40</duration>
                <abstract>Apache HTTP Server, as a cornerstone of the entire World Wide Web, accounts for about one-third of the web server market share worldwide. It&apos;s not an overstatement to say that its security is synonymous with the security of the Internet. However, while delving into the source by chance, we discovered that the coding style of this open-source project seemed a little bit... open? This research was thus born!

Apache Httpd is composed of dozens of different modules, which are coupled together. When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding implementation details, yet they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any field of this huge structure, it could potentially lead to fatal issues.

This observation led us to focus on interactions between modules, and discover this new attack surface. Let&apos;s see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to misinterpreting a normal image as malicious scripts, bypassing ACL, and enabling unlimited SSRF. Of course, we won&apos;t forget about RCE, we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd&apos;s internal features!

By understanding this talk, attendees won&apos;t be surprised at how we&apos;ve managed to teach an old dog new tricks. Developers will understand how to avoid writing problematic Httpd modules. Server Admins can utilize this knowledge to examine their sites for potential vulnerabilities, and security researchers are able to explore more hidden issues along this direction. It&apos;s a scenario where everyone wins!</abstract>
                <slug>orangecon-2024-53442-confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='55644'>Orange Tsai</person>
                </persons>
                <language>en</language>
                <description>## 1. Methodology and Our New Attack Surface

We focus on exploring the interactions between Apache Httpd modules, as mentioned in the abstract. Apache Httpd is a world constructed of modules; even the official documentation highlights that:

*URL: https://httpd.apache.org/docs/2.4/mpm.html*

&gt; Apache HTTP Server 2.0 extends this modular design to the most basic functions of a web server.

Httpd modules are free to register hooks to the phases they&apos;re interested in. An HTTP request will **walk through** all modules, and at each stage, it&apos;s up to the modules to decide whether to ACCEPT or REJECT the current request. An issue arises from the fact that:

&gt; Modules do not fully understand each other&apos;s implementation details. However, they are asked to collaborate to complete the entire HTTP process.

For an HTTP request, all modules share and maintain an internal data structure `request_rec` with nearly a hundred members. If there is an ambiguity in understanding the same structure member among modules, it can easily lead to problems. Similarly, if a module mistakenly modifies a member that is insignificant to it but crucial to another module in this shared structure, it might affect other modules&apos; decisions and cause problems, too!


## 2. Proposed THREE Attacks and EIGHT New Vulnerabilities

Based on the concept mentioned above, we have created 3 distinct types of Confusion Attacks on Apache HTTP Server:

1. **Filename Confusion Attack**: For the same HTTP request, some modules treat `r-&gt;filename` as a URI, while others treat it as a filesystem path. This inconsistency causes security issues such as source code disclosure or ACL/Authentication Bypass.
2. **DocumentRoot Confusion Attack**: For any RewriteRule Mapping, Httpd would try to access both the relative path and absolute path. This leads to unintended file access outside the DocumentRoot.
3. **Handler Confusion Attack**: For the same `request_rec` structure, under certain conditions, `r-&gt;content_type`, `r-&gt;handler`, and `r-&gt;filename` are interconnected and can be transformed into each other, leading to security issues such as SSRF or RCE.

These Confusion Attacks can be transformed into different types of vulnerability classes. So far, we have uncovered 8 vulnerabilities in Apache HTTP Server, including:

1. **CVE-2024-38477 - important**: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
2. **CVE-2024-38476 - important**: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
3. **CVE-2024-38475 - important**: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
4. **CVE-2024-38474 - important**: Apache HTTP Server weakness with encoded question marks in backreferences
5. **CVE-2024-38473 - moderate**: Apache HTTP Server proxy encoding problem
6. **CVE-2024-38472 - important**: Apache HTTP Server on Windows UNC SSRF
7. **CVE-2024-39573 - moderate**: Apache HTTP Server: mod_rewrite proxy handler substitution
8. **CVE-2023-38709 - moderate**: Apache HTTP Server: HTTP response splitting

You can check the [Apache HTTP Server website](https://httpd.apache.org/security/vulnerabilities_24.html) for details!

Our presentation will focus mainly on vulnerabilities #2, #3, #4, #5 and #7. The impacts include, but are not limited to:

- Sensitive Information Leakage
- Denial-of-Service Attack
- ACL and Authentication Bypass
- Arbitrary Server-Side Source Code Disclosure
- Arbitrary File Read
- SSRF (Server-Side Request Forgery)
- RCE (Remote Code Execution)


## 3. Demo

We will demonstrate how a long-underestimated bug type can be transformed into powerful exploits, including Info-Leak, SSRF, and RCE by leveraging Httpd&apos;s internal features.

This breakthrough is powered by our innovative Confusion Attack technique, enhancing our capability to intricately navigate and manipulate Httpd modules.


## 4. Previous Work

As far as I know, attacks that specifically target the inconsistencies within Httpd&apos;s internal structure have been rare. The closest discussion on this topic was presented by Max Dmitriev at ZeroNights 2021:

*Title: Apache 0day bug, which still nobody knows of, and which was fixed accidentally*
*Slide: https://tinyurl.com/bdxdfk8j*

However, the discussion did not extensively explore this avenue. The publicly available bug description suggests that the real issue was not precisely identified.

&gt; &quot;...a lack of control over an Apache error when using php-cgi and ModSecurity...&quot;

In reality, any handler based on `Content-Type` should be vulnerable, indicating that not only php-cgi but also the widely utilized mod_php could be at risk.


## 5. Notes

The issues we have identified are present in the core modules of Apache Httpd, not in third-party modules that are rarely or never installed. :)</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/YZRPBK/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/YZRPBK/feedback/</feedback_url>
            </event>
            <event guid='4c12b5a7-c41b-54e9-83cd-e84b3c732903' id='54456' code='DKGN93'>
                <room>Main track</room>
                <title>Closing Keynote: U-matter</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T16:25:00+02:00</date>
                <start>16:25</start>
                <duration>00:30</duration>
                <abstract>To be announced/It&apos;s gonna be a surprise.</abstract>
                <slug>orangecon-2024-54456-closing-keynote-u-matter</slug>
                <track>Main track</track>
                
                <persons>
                    <person id='56493'>Inge Bryan</person>
                </persons>
                <language>en</language>
                <description>To be announced/It&apos;s gonna be a surprise.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/DKGN93/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/DKGN93/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Second track' guid='1e779681-9be0-5f9e-9492-1541da97d7c8'>
            <event guid='39059ae6-79e5-5eb0-877c-4ae64654c14b' id='54415' code='8QBSMA'>
                <room>Second track</room>
                <title>Securing devices or profits? Examining the device security of a network appliance vendor</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>00:30</duration>
                <abstract>This talk is about the hidden devices that connect you, which are not often in the spotlight but frequently in many places: SMB network appliances. Specifically, my research has focused on Cisco Meraki wired routers and wireless access points.

Secure boot is the most widely used technology to ensure the integrity of a device&#8217;s boot chain. Adversaries, both criminal and state-sponsored, are moving down the software stack and closer to firmware to gain persistence and evade detection. However, secure boot is only as strong as its weakest link, which is often the vendor implementing it.

Recently, it has become apparent that some vendors have not been adequately securing, or even changing the example keys used to sign their firmware; the so-called PKFail.

The talk will focus on the following:
* The current state of Cisco Meraki&#8217;s device security model, spanning multiple devices and product generations
* Mistakes made in implementing secure boot, allowing for execution of unsigned code on devices employing secure boot

Come and find out if the teleworker gateway, or the wireless router used in your child&#8217;s school, are really as secure as the manufacturer claims they are. And is the intent behind securing these devices really to prevent adversaries from compromising them, or more to protect the profits of the manufacturer selling them?</abstract>
                <slug>orangecon-2024-54415-securing-devices-or-profits-examining-the-device-security-of-a-network-appliance-vendor</slug>
                <track>Track 2</track>
                <logo>/media/orangecon-2024/submissions/8QBSMA/photo_4994831697648398911_y_pxM6JkD.jpg</logo>
                <persons>
                    <person id='56447'>Hal Martin</person>
                </persons>
                <language>en</language>
                <description>This talk will focus on Cisco Meraki&apos;s efforts to secure their recent devices against unsigned code execution, the specific steps they&apos;ve taken, and details on the mistakes made that allow users to run an open-source firmware like OpenWrt on their device. You can expect photos of hardware disassembly, C code, and disassembler screenshots.

I will also go over what steps you can take if you plan to ship an embedded device and want to prevent tampering. Finally, I will discuss the moral and ethical issues surrounding secure boot, device re-use, and e-waste.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/8QBSMA/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/8QBSMA/feedback/</feedback_url>
            </event>
            <event guid='111276af-e2b7-5a0d-b0cb-a022d261b38d' id='53192' code='XFDFLL'>
                <room>Second track</room>
                <title>Elevate Your Skills: From COM object fundamentals to UAC bypasses</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T11:30:00+02:00</date>
                <start>11:30</start>
                <duration>00:30</duration>
                <abstract>When did you last use or analyze a UAC bypass? And did you fully understand its internals? 

User Account Control (UAC) is a security feature in Windows that limits the set of privileges available to users. And so, bypassing UAC enables threat actors to utilize privileges otherwise not available. A lot of publicly available UAC bypasses exist, and most of them abuse functionality in COM objects to achieve their goal. However, COM is a largely undocumented part of Windows, making it difficult to truly understand how this process technically works.

In 30 minutes, I will teach you the basics of UAC and COM. Largely visualized, I explain how UAC works, what COM is, and how you can communicate with COM objects. As we progress, I explain in an easy-to-follow way how you can exploit COM objects to bypass UAC.

Lastly, I demo the exploitation of UAC through COM, and I share the code so you can start experimenting with UAC and COM by yourself.</abstract>
                <slug>orangecon-2024-53192-elevate-your-skills-from-com-object-fundamentals-to-uac-bypasses</slug>
                <track>Track 2</track>
                <logo>/media/orangecon-2024/submissions/XFDFLL/test_4oOcuZe.png</logo>
                <persons>
                    <person id='55397'>Tijme Gommers</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/XFDFLL/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/XFDFLL/feedback/</feedback_url>
            </event>
            <event guid='e1c2d41c-ee13-52a8-b737-294f403c8daf' id='54200' code='LN3EPV'>
                <room>Second track</room>
                <title>Exploiting the Core: A Deep Dive into Kernel Driver Vulnerability Hunting</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>00:30</duration>
                <abstract>In a world where user-mode security is often prioritized, vulnerabilities in kernel drivers pose significant risks and can lead to privilege escalation and other severe system compromises. This presentation offers a thorough guide to identifying and analyzing these vulnerabilities. We will examine the impact of kernel driver vulnerabilities, including their exploitation in real-world attacks and their use by red teams. We will demonstrate methods for building a driver database from diverse sources while filtering for only the most promising drivers.

We will then delve into the most important technical features of kernel drivers such as user-to-kernel communication, driver architecture, and essential functionality. Finally, we will elaborate on identifying and assessing many common vulnerability types such as heap overflows, handle leaks, and race conditions. Additionally, we will provide some practical advice on setting up research environments, debugging, and automated analysis to get you set up right away. By the end of the presentation, you&apos;ll be equipped to start your own kernel driver vulnerability research. Based on our current results, we expect many vulnerabilities are still to be found!</abstract>
                <slug>orangecon-2024-54200-exploiting-the-core-a-deep-dive-into-kernel-driver-vulnerability-hunting</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='56275'>Jan-Jaap Korpershoek</person>
                </persons>
                <language>en</language>
                <description>In this talk, we will explore the crucial aspects of finding and exploiting vulnerabilities in kernel drivers, a key area in cybersecurity research. Kernel drivers are core system components, and vulnerabilities in these components can have a large impact on systems. The talk will begin by highlighting the importance of kernel driver vulnerabilities and the impact they can have, demonstrated through real-world examples of malware and threat actor activities.

We will share insights from our own research, revealing the prevalence of vulnerabilities in various drivers and the types of vulnerabilities we&apos;ve encountered. Attendees will learn about all aspects needed to kick-start vulnerability research in this area. This includes building a driver database, understanding different driver types, knowing which ones are most likely to contain exploitable vulnerabilities and recognizing common vulnerability classes.

The talk will also cover practical aspects of interacting with drivers, including methods for loading them and understanding the communication interfaces between user and kernel space. This knowledge is critical for understanding the attack surface of drivers. Additionally, we will discuss setting up a research environment and several automated tools to streamline the process of vulnerability discovery.

Overall, this talk aims to equip participants with the skills and knowledge needed to start their journey in finding kernel driver vulnerabilities, enhancing their ability to contribute to cybersecurity defenses. Whether you&apos;re a beginner or looking to refine your techniques, this session will provide valuable insights into this complex and impactful area of research.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/LN3EPV/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/LN3EPV/feedback/</feedback_url>
            </event>
            <event guid='e0db1ac5-4b47-5110-8014-8af27f9652c8' id='53087' code='8ZA3CU'>
                <room>Second track</room>
                <title>An angel, python, root and config walked into a bar...</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:30</duration>
                <abstract>How many times do we need to kill the NsaRescueAngel? What&apos;s up with this messed up python webserver? Why the hell did this command injection get reimplemented?! Those were my words whilst digging into ZyXEL&apos;s NAS326 firmware from which I found multiple zeroday vulnerabilities earlier this year, which this talk will use for a case study and discuss the consequences of bad design and subpar patching.</abstract>
                <slug>orangecon-2024-53087-an-angel-python-root-and-config-walked-into-a-bar</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='55290'>Timothy Hjort</person>
                </persons>
                <language>en</language>
<description>The talk will begin with a short story on how the entire process started before proceeding into details on the NsaRescueAngel backdoor (CVE-2024-29972). Once there is a basic understanding of the core requirements set to exploit it, we will move along into the authentication mechanisms present: its flaws, consequences and results (CVE-2024-29974, CVE-2024-29972, CVE-2024-29976). Further on, the talk will investigate a python code injection caused by the architectural design of a CherryPy webserver present on the machine (CVE-2024-29973), and how the framework design caused the developers to first fix one zeroday found by IBM (CVE-2023-27992) and in a future update reimplement it once more. Finally, previous patches performed on the code injection will receive a brief investigation and conclusions for the set questions will be drawn.

# Key questions the talk intends to address
* What were the actual vulnerabilities I found?
* Insight into patterns and trends observed in past CVEs 
* Can we expect to see more of them?</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/8ZA3CU/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/8ZA3CU/feedback/</feedback_url>
            </event>
            <event guid='15081406-6fde-5f5b-8691-b1a095c563fc' id='53229' code='YWRH7X'>
                <room>Second track</room>
                <title>All cops are broadcasting: Breaking TETRA after decades in the shadows</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:30</duration>
                <abstract>This talk will present details of the TETRA:BURST vulnerabilities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio). This European standard for trunked radio is used globally by government agencies, police, military, and critical infrastructure, for applications ranging from voice communications to SCADA telecontrol of energy distribution, oil rigs and train safety systems. 

Authentication and encryption within TETRA are handled by proprietary cryptographic cipher-suites, which had previously remained secret for over two decades through the use of restrictive NDAs. Last year, we presented the result of a two-year research project, and disclosed both open-source implementations of the secret primitives as well as a first public security assessment of the technology. Several critical vulnerabilities were identified, including a deliberate backdoor.</abstract>
                <slug>orangecon-2024-53229-all-cops-are-broadcasting-breaking-tetra-after-decades-in-the-shadows</slug>
                <track>Track 2</track>
                <logo>/media/orangecon-2024/submissions/YWRH7X/tetraburst_HGzmunm.svg</logo>
                <persons>
                    <person id='55442'>Wouter Bokslag</person>
                </persons>
                <language>en</language>
                <description>This talk is an overview of the most important of the five uncovered issues, collectively dubbed TETRA:BURST. 

First, we uncover the presence of a deliberate backdoor in the TEA1 cipher, which is used in critical infrastructure. This backdoor reduces the effective key strength from 80 to 32 bits, rendering it vulnerable to an exhaustive search attack. The demonstrated attack is fully passive, and runs in under a minute. 
Second, we present a keystream recovery attack which works regardless of the cipher employed, affecting all encrypted TETRA networks. 
Furthermore, we discuss a de-anonymization attack with counter-intelligence implications and a flaw in the authentication protocol. 

Additionally, we provide the attendee with background information on TETRA&apos;s role in critical infrastructure as a SCADA telecontrol link, and how the TEA1 backdoor proliferated throughout Europe, exposing our critical infrastructure as well as several European military and police users to very severe risks.

See [https://midnightblue.nl/tetraburst](https://midnightblue.nl/tetraburst) for more details.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/YWRH7X/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/YWRH7X/feedback/</feedback_url>
            </event>
            <event guid='4584c8c1-f4c2-5a23-b034-b2f38ee57aed' id='54460' code='VBC9AB'>
                <room>Second track</room>
                <title>How to crack seven billion passwords?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T14:30:00+02:00</date>
                <start>14:30</start>
                <duration>00:30</duration>
<abstract>Free Taylor Swift tickets. DNA data breached. A $150 million fine for Uber. Phone records of nearly all users of a large US telco stolen. What do these incidents have in common? Stolen passwords. Of course all OrangeCon attendees use multi-factor authentication and password managers. But most people don&#8217;t. Incidents caused by stolen passwords are (still) on the rise. According to research, stolen passwords are used in over 80% of recent IT security incidents. Launching a basic attack is within financial and technical reach of school kids. How to protect against account takeover attacks? Do what the bad guys are doing. And do it better! We have recovered over seven billion unique email/password pairs in the past years. In this presentation we dive into the details of password cracking at scale, and how this data can help you to keep your accounts safe.</abstract>
                <slug>orangecon-2024-54460-how-to-crack-seven-billion-passwords</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='56498'>Jeroen van Beek</person>
                </persons>
                <language>en</language>
                <description>In this presentation we dive into the process of cracking billions of passwords, and how this data can be used to protect organizations against account takeovers. Covered topics:
    &#8226; Introduction. Many well-known attacks started using credential stuffing and account takeovers. Think, for example, of TicketMaster and Uber. But what exactly happened? What motivated hackers? What went wrong at the victims? What&#8217;s the scale of the problem?
    &#8226; Password blacklisting, email breach notification, password breach notification, what are the differences? Explanation of techniques that power well-known services like HaveIBeenPwnd and products from the tech giants. They might look similar, but they are not.
    &#8226; Why do most well-known defenses not protect against account takeover attacks? Techniques like rate limiting and anomaly detection are typically not effective. More complex password policies can even be counterproductive.
    &#8226; How to get raw data? For free? Without TOR? Getting raw data is easy. The amount of (semi-)publicly available data is overwhelming. Processing the data is more challenging. 
    &#8226; Passwords: how did it all start? History of password storage and password cracking. Lessons (not) learned over the decades.
    &#8226; What are the right tools for the job? Different password hashing algorithms have different characteristics. Some algorithms were not designed for storing passwords at all. Some other algorithms were specifically designed to not work well on generic cost-effective hardware, making cracking extremely slow. How to overcome this? We have built FPGA-based crackers based on ex-Bitcoin miners, to achieve an orders-of-magnitude speed advantage over conventional hardware.
    &#8226; How to use recovered credentials to protect accounts? So now we&#8217;ve got over seven billion email/password pairs. How to use this unique dataset to disrupt cybercrime?
    &#8226; Results and conclusion.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/VBC9AB/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/VBC9AB/feedback/</feedback_url>
            </event>
            <event guid='e99ff0d6-3fb0-54dd-b5aa-8689042cadfc' id='53945' code='PGAYXE'>
                <room>Second track</room>
                <title>Graph API Mastery - Logs to Real World Attacks</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-09-05T15:00:00+02:00</date>
                <start>15:00</start>
                <duration>00:20</duration>
<abstract>In this presentation, we will explore the potential of Microsoft Graph API logs, focusing on their use for enhancing security, insights, and real-world attack scenarios within M365 environments. We begin by detailing the process of obtaining logs. We&apos;ll talk about fields which are critical for monitoring and analysis, correlatable fields and useful KQL functions that help. We also compare delegated vs. application permissions to help attendees understand their distinct attack use cases and best practices.

The discussion will move to common attack patterns using Graph API, offering strategies for threat hunting and detection. Real-world stories from the frontlines will illustrate how organizations have successfully utilized Graph API to mitigate security incidents. Additionally, we will highlight significant contributions from researchers and authors who&apos;ve done great research in this field. The presentation will conclude with a summary of best practices and actionable insights for leveraging Microsoft Graph API logs to their fullest potential. This session aims to equip security professionals with the knowledge to effectively use Microsoft Graph API logs.</abstract>
                <slug>orangecon-2024-53945-graph-api-mastery-logs-to-real-world-attacks</slug>
                <track>Track 2</track>
                
                <persons>
                    <person id='56028'>Shiva P</person><person id='56867'>Parthiban R</person>
                </persons>
                <language>en</language>
                <description>Graph API Mastery: From Logs to Real-World Impact

Introduction

Microsoft Graph API provides a unified endpoint to access Microsoft 365 services, enabling developers to build powerful applications that integrate deeply with the Microsoft ecosystem. This presentation will explore how to leverage Graph API LOGS for enhanced operational security.

Obtaining the Logs
We will discuss methods to access and retrieve logs from Graph API, focusing on setting up appropriate permissions and using relevant endpoints to gather valuable data.

Correlatable Fields &amp; Useful Functions
Learn about fields that can be correlated across different logs and systems to create a comprehensive view of user and application activities. We will also cover useful KQL functions for data analysis.

Delegated vs Application Permissions
Understand the differences between delegated and application permissions, their use cases, and best practices for managing permissions to ensure security and compliance.

Attack Patterns and Hunting/Detection Opportunities
Explore common attack patterns targeting Microsoft Graph API and discover strategies for threat hunting and detection. We will highlight specific indicators of compromise and techniques to identify malicious activities.

From the Frontlines &#8211; Real World Stories
Real-world examples and case studies illustrating attacks observed on the frontlines, highlighting how organizations could have used Graph API logs to prevent/monitor security incidents.

Highlighting other researchers and their work:
Highlight contributions from other researchers and authors who have done great work on Microsoft Graph API research. This will include a snippet of who to follow and what they&#8217;ve done.

Conclusion
A summary of key takeaways and best practices for leveraging Microsoft Graph API in your organization. Emphasis on the importance of continuous monitoring and the potential for future enhancements. This session aims to equip security professionals with the knowledge to effectively use Microsoft Graph API logs.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/PGAYXE/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/PGAYXE/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshop track 1' guid='e847bba9-a4e0-53c3-8040-eaf4d8f5f43c'>
            <event guid='327aa51f-4b81-532e-95c1-90a477a9e0ba' id='51300' code='FKFSX9'>
                <room>Workshop track 1</room>
                <title>Detect and Reverse engineer - Quick wins for defenders</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2024-09-05T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>In this workshop we will use Ghidra and some famous public samples to identify quick detection engineering wins.</abstract>
                <slug>orangecon-2024-51300-detect-and-reverse-engineer-quick-wins-for-defenders</slug>
                <track>Workshop track 1</track>
                
                <persons>
                    <person id='53645'>Yassir Laaouissi</person>
                </persons>
                <language>en</language>
                <description>If you are interested in Reverse Engineering and Detection engineering, and you want to have a workshop where we learn from each other in making valuable detections on public samples, then you should look no further! In this workshop we will use Ghidra and some famous public samples to identify quick detection engineering wins.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/FKFSX9/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/FKFSX9/feedback/</feedback_url>
            </event>
            <event guid='e0c0498c-132e-558a-acf6-44804ca1f878' id='52005' code='7YRCCN'>
                <room>Workshop track 1</room>
                <title>Getting familiar with DESFire</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2024-09-05T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>02:00</duration>
                <abstract>MIFARE DESFire is the stronger, slightly more expensive sibling of the MIFARE family of smartcards. This workshop aims to cover the basics of the card&apos;s functions as well as how the most important crypto works. After a short lecture, it is up to you to analyze captured DESFire traces of vulnerable reader implementations with a Proxmark3 and program your own DESFire card to bypass the reader&apos;s security.</abstract>
                <slug>orangecon-2024-52005-getting-familiar-with-desfire</slug>
                <track>Workshop track 1</track>
                
                <persons>
                    <person id='54243'>Sebastiaan Groot</person>
                </persons>
                <language>en</language>
                <description>This workshop dives into the basics of the MIFARE DESFire smartcard - a popular smartcard for high-security access control and ticketing systems. The workshop will start with a short lecture covering important concepts of the DESFire standard:

- What standards DESFire is built on top of
- DESFire logical structure
- DESFire authentication &amp; cryptography
- Analyzing DESFire with Proxmark3
- Possible pitfalls.

Afterwards, the hands-on portion of the workshop starts. A set of traces of communication between a DESFire card and a card reader with implementation defects will form the basis of the challenges. Each participant will get access to a Proxmark3 and a blank DESFire card during the workshop, with the goal of &quot;cloning&quot; the card used in the trace and tricking the card reader into letting you through.

**IMPORTANT**: This workshop requires you to bring your own laptop with Proxmark3 (Iceman fork) v4.18589 client software installed (https://github.com/RfidResearchGroup/proxmark3/releases/tag/v4.18589). Instructions on how to prepare the environment can be found under the &quot;PROXMARK3 INSTALLATION AND OVERVIEW&quot; section of the README. A working Proxmark3 and DESFire card will be provided for use during the workshop. This can be done on a VM with a USB3 controller configured, but expect occasional communication timeouts if you choose to do so.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/7YRCCN/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/7YRCCN/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshop track 2' guid='66721b16-9982-5f44-8d44-514bd24d0e48'>
            <event guid='fb391082-b6f9-5d7c-b64a-d542efac4c1e' id='52455' code='TTMYBL'>
                <room>Workshop track 2</room>
                <title>HackTheBox &amp; CTF Methodology - Hands-on workshop</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2024-09-05T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>Learn how getting better at cybersecurity can be both fun and educational using CTFs and practice machines!</abstract>
                <slug>orangecon-2024-52455-hackthebox-ctf-methodology-hands-on-workshop</slug>
                <track>Workshop track 2</track>
                <logo>/media/orangecon-2024/submissions/TTMYBL/Naamloos-1_YubzhCF.png</logo>
                <persons>
                    <person id='54741'>Remco van der Meer</person>
                    <person id='55809'>Jorian Woltjer</person>
                </persons>
                <language>en</language>
                <description>Join Remco van der Meer and Jorian Woltjer for a unique and hands-on workshop where we&apos;ll explore the following points:
- Introduction to HackTheBox &amp; Capture The Flag (CTF)
- Link to real penetration tests
- Live Walkthrough of an easy HackTheBox challenge</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/TTMYBL/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/TTMYBL/feedback/</feedback_url>
            </event>
            <event guid='ba11c748-a887-51d9-8e42-87920e4c9592' id='54039' code='3HFRVB'>
                <room>Workshop track 2</room>
                <title>Be lazy like a cat, making pentesting fun again</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2024-09-05T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>01:00</duration>
                <abstract>Effective pentesting is labor-intensive, especially when it comes to validation and reporting. Standardization can help, but it may also inadvertently increase the workload. In this workshop, you will receive practical tools and strategies to reduce the workload by making standardization a part of the solution.

Join us and discover how to streamline your pentesting processes, enhance efficiency, and achieve superior results without the added stress.</abstract>
                <slug>orangecon-2024-54039-be-lazy-like-a-cat-making-pentesting-fun-again</slug>
                <track>Workshop track 2</track>
                
                <persons>
                    <person id='56111'>Brenno de Winter</person>
                    <person id='56145'>Mischa van Geelen</person>
                </persons>
                <language>en</language>
                <description>Join us for an engaging workshop designed for security enthusiasts eager to improve their vulnerability assessment and reporting skills.

In this session, you&apos;ll learn how to accurately describe vulnerabilities, detail reproduction steps, assess impact, and provide effective remediation advice. We&apos;ll introduce an advanced methodology that significantly reduces the time required for these tasks.

Participants will gain access to specialized templates that streamline the vulnerability reporting process, making it more efficient and less time-consuming. After a brief explanation of the methodology, you will have the opportunity to apply the templates in practical exercises, gaining firsthand experience and enhancing your cybersecurity skills.

This workshop is perfect for anyone passionate about security, looking to enhance their technical skills, and seeking efficient methods for vulnerability assessment and reporting.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/3HFRVB/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/3HFRVB/feedback/</feedback_url>
            </event>
            <event guid='0e890e70-ae1c-573a-8ea3-7504b14d8d07' id='54474' code='F7Q7ZG'>
                <room>Workshop track 2</room>
                <title>Finding vulnerabilities with CodeQL</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2024-09-05T14:30:00+02:00</date>
                <start>14:30</start>
                <duration>01:00</duration>
                <abstract>It is a truth universally acknowledged, that finding and reporting vulnerabilities in software may be a daunting task. However, little known as they may be, there are tools and techniques that may assist on this journey.

CodeQL is a static analysis tool that can be used to automatically scan your applications for vulnerabilities and to assist with a manual code review. We can use it to find vulnerabilities in software at scale, in thousands of projects at once.

Join me in this beginner-friendly primer about finding vulnerabilities in software with CodeQL. Perhaps, by the end of this session, you might get inspired and learn how to find your own.</abstract>
                <slug>orangecon-2024-54474-finding-vulnerabilities-with-codeql</slug>
                <track>Workshop track 2</track>
                <logo>/media/orangecon-2024/submissions/F7Q7ZG/security_research_with_CodeQL_VQEL42g.png</logo>
                <persons>
                    <person id='56511'>Sylwia Budzynska</person>
                </persons>
                <language>en</language>
                <description>This session will introduce fundamentals of security research when looking for vulnerabilities in software via source code review. We will use an example of a simple vulnerability, walk through how CodeQL could detect it, and provide examples on how the audience could use CodeQL to find vulnerabilities themselves. We will also introduce how we could scale our security research to thousands of projects at once using multi-repository variant analysis.

If you can, please set up the workshop codespace before the workshop by following the instructions in the workshop repository: http://gh.io/orangecon-2024-ws
The codespace is basically a virtual machine from GitHub, which you can use for free for up to 120 hours, and this one will automatically set up everything you need for running CodeQL. After you are done, remember to go to https://github.com/codespaces, select the three dots next to the codespace and choose &#8220;Stop codespace&#8221; so you don&#8217;t use up your hours.
We are also going to set it up together during the workshop, so feel free to wait until the workshop day with setup.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/orangecon-2024/talk/F7Q7ZG/</url>
                <feedback_url>https://pretalx.com/orangecon-2024/talk/F7Q7ZG/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
